Insecure Direct Object Reference (IDOR)
IDOR occurs when an application exposes a direct reference to an internal object (a database ID, a filename) and does not verify that the requesting user is authorized to access that object. Changing one number in a URL can then expose another user's data.
Demo request (the order number is left as "?" on the page):
GET /api/orders/? HTTP/1.1
Fields the demo's response panel lists as exposed by an unchecked lookup: user_id, username, email, order_id, total, auth_check
Fix: Authorization Check
-- Vulnerable: any caller who knows or guesses the id gets the row
SELECT * FROM orders WHERE id = ?
-- Fixed: the second parameter is bound from the server-side session (session.user_id), never from the request
SELECT * FROM orders
WHERE id = ? AND user_id = ?
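The following is an added example, not code from the original page: it runs both the vulnerable and the fixed lookup against an in-memory SQLite table with constructed sample rows, wrapped in a minimal stand-in for the `GET /api/orders/<id>` handler. The table layout, the sample users and the handler name are assumptions made for the demonstration; the point it shows is that the fixed query returns nothing when the session user asks for an order that is not theirs.

```python
import sqlite3

# Constructed sample data (not from the page): two users, one order each.
# Columns: id, user_id, username, email, total
SAMPLE_ROWS = [
    (101, 1, "alice", "alice@example.com", 42.50),
    (102, 2, "bob", "bob@example.com", 19.99),
]


def build_db():
    """Create the assumed orders table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, "
        "username TEXT, email TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_order_vulnerable(conn, order_id):
    # IDOR: the row is selected by its identifier alone, so whoever supplies
    # the id in the URL gets the row, whatever user is logged in.
    return conn.execute(
        "SELECT * FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_fixed(conn, order_id, session_user_id):
    # Authorization is part of the query: the id must belong to the user
    # recorded in the server-side session. session_user_id is never read
    # from the request.
    return conn.execute(
        "SELECT * FROM orders WHERE id = ? AND user_id = ?",
        (order_id, session_user_id),
    ).fetchone()


def handle_get_order(conn, order_id, session_user_id, fixed=True):
    """Stand-in for GET /api/orders/<order_id> (hypothetical handler).

    order_id comes from the URL; session_user_id from the server session.
    Returns (status, body) the way an HTTP handler would.
    """
    if fixed:
        row = get_order_fixed(conn, order_id, session_user_id)
    else:
        row = get_order_vulnerable(conn, order_id)
    if row is None:
        # 404 rather than 403: a not-found answer does not confirm to the
        # caller that an order with this id exists for someone else.
        return 404, None
    oid, user_id, username, email, total = row
    return 200, {
        "order_id": oid,
        "user_id": user_id,
        "username": username,
        "email": email,
        "total": total,
    }


if __name__ == "__main__":
    db = build_db()
    # Alice (session user 1) requests Bob's order 102.
    print(handle_get_order(db, 102, 1, fixed=False))  # vulnerable: leaks Bob's row
    print(handle_get_order(db, 102, 1, fixed=True))   # fixed: 404
    print(handle_get_order(db, 101, 1, fixed=True))   # fixed, own order: 200
```

The check lives in the query rather than in a separate lookup so that the object id and the owner are evaluated together; if the application resolves ownership in application code instead, the same rule applies: the user id it compares against must come from the authenticated session, not from a field the client can set.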